Nginx [SOLVED]: Is HTTPS behind reverse proxy needed?




    I have an API server running behind an nginx reverse proxy. It is important to have all requests to my API server be secured via TLS since it handles sensitive data.

    I’ve set up nginx to work with TLS (LetsEncrypt) so that seems to be okay. However, requests from nginx to my API server are still insecure http requests (this is all happening across docker containers, by the way).

    Is it a best practice to also set up https between the reverse proxy and the API server? If so, how would I go about doing that without over-engineering it?



    Accepted Answer

    It all comes down to how secure or paranoid you’d like your implementation to be. It may also depend on the type of data you’re playing with. For instance: I’d definitely do this for credit card numbers or other sensitive information.

    As the comments have already stated, you would typically terminate SSL connections at the front-facing web server, assuming the API backend is also inside your LAN, which you trust and control. If you want to go that extra mile, you could also set up SSL on the API backend. Details of how to do that depend on the software you’re using on your backend.

    If you do decide to implement SSL on the API backend, the setup would be similar to what you did to set up Nginx with SSL on the frontend, with the main difference being you don’t need to use a public certificate on the backend. It can be self-signed, since no one else besides your web server will be talking to it. Then it’s just a matter of fixing all the URIs in your code to use HTTPS.

    Author: AfroThundr
    Creative Commons License
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
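
The proxy side of the setup described in the answer, as an added example that is not part of the original posts. The service name `api`, port 8443, the hostname `example.com` and all file paths are assumptions. It shows the detail that is easy to miss with a self-signed backend certificate: nginx does not verify upstream certificates unless told to.

```nginx
# Added example; names, ports and paths are assumptions, not from the thread.
upstream api_backend {
    server api:8443;    # hypothetical Docker service name and TLS port of the API
}

server {
    listen 443 ssl;
    server_name example.com;    # placeholder public hostname

    # Public (Let's Encrypt) certificate for the client-facing side; placeholder paths
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        # Weak form: a bare "proxy_pass https://..." encrypts the hop but
        # accepts ANY certificate, because proxy_ssl_verify defaults to off.
        proxy_pass https://api_backend;

        # Corrected form: pin trust to the backend's self-signed certificate.
        proxy_ssl_verify              on;
        # Copy of the backend's self-signed certificate (public part only),
        # mounted into the nginx container; placeholder path.
        proxy_ssl_trusted_certificate /etc/nginx/backend/api.crt;
        # Name checked against the backend certificate. Without this, nginx
        # checks the upstream block name ("api_backend") instead.
        proxy_ssl_name                api;
        # Send that name as SNI in case the backend selects its cert by name.
        proxy_ssl_server_name         on;

        # Let the API see the original host, scheme and client address.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

The backend's self-signed certificate has to carry the name given in `proxy_ssl_name`, otherwise verification fails and nginx returns 502 for proxied requests.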
